Intuit: Anti-fraud Improvements by IRS Fuel Up To 3700 Percent Rise in Phony State Filings

Scam artists stole billions of dollars last year from the U.S. Treasury by filing phony federal tax refund requests in the names of millions of Americans. But as Uncle Sam has made this type of fraud harder for thieves to profit from, the crooks have massively shifted their focus to refund fraud at the state level. Or at least that is the view of Intuit Inc., the maker of TurboTax: The company says it believes that shift is responsible for a whopping 3,700 percent increase in fraudulent state tax refund filings this year in some states.

File ’em Before the Bad Guys Can

Earlier this month, TurboTax was forced to briefly suspend state tax refund filings while it investigated the source of the unprecedented fraud spike. To learn more about the run-up to this extraordinary step and other tax fraud trends this year, I talked with Indu Kodukula, chief information security officer at Intuit.

Kodukula explained that in years past the dominant form of tax return scams the company has dealt with stemmed from phony federal tax refund requests. But this tax season, things changed dramatically.

“The IRS has gotten much better than a few years ago from the perspective of fighting fraud,” Kodukula said. “We think what’s happening is that as a result the fraudsters are starting to target the states.”

Data released by the Treasury Inspector General for Tax Administration (TIGTA), which oversees the work of the IRS, suggest the IRS does indeed appear to have improved at flagging and ultimately denying fraudulent federal tax returns. In an interim report on the 2014 tax filing season, TIGTA said the IRS identified and confirmed 28,076 fraudulent tax returns involving identity theft. That was down significantly from a year earlier, when the IRS identified and confirmed 85,385 fraudulent tax returns involving identity theft.

THE ROLE OF UNLINKED RETURNS

Kodukula said tax fraudsters have evolved in response to increased information sharing by the IRS with state revenue departments about phony tax returns received at the federal level. He described a process that began about three years ago, when Intuit and TurboTax received express permission from the IRS to share information about suspected bogus tax refund requests.

“It has been our understanding that this information is in turn being shared with [state treasury departments],” Kodukula said. “But there are 46 states in the Union where taxpayers can file what’s called an ‘unlinked return,’ meaning they can file a state return without having to file a federal return at the same time. So when the [tax fraudsters] file an unlinked return, it leaves the state at its own disposal to fight this fraud, and we think that’s what has taken the states by surprise this year.”

States allow unlinked returns because most taxpayers owe taxes at the federal level but are due refunds from their state. Thus, unlinked returns allow taxpayers who owe money to the IRS to pay some or all of that off with state refund money.

Unlinked returns typically have made up a very small share of Intuit’s overall returns, Kodukula said. However, so far in this year’s tax filing season, Intuit has seen between threefold and 37-fold increases in unlinked, state-only returns. Convinced that most of those requests are fraudulent, the company now blocks users from filing unlinked returns via TurboTax.

“It’s very hard to imagine a fundamental demographic shift that could cause that kind of pattern,” Kodukula said. “Our thought is that the vast majority of this is clearly not legitimate activity.”

ACCOUNT TAKEOVERS FUELED BY PASSWORD RE-USE

Not only have the fraudsters shifted from attacking the IRS to robbing state coffers, but the methods they use to steal taxpayer data also are evolving. Kodukula explained that traditionally most of the bogus refund requests were the result of what the company calls “stolen identity refund fraud,” or SIRF. In SIRF scams, the thieves gather pieces of data about taxpayers by outside means, such as phishing attacks or identity theft services in the underground, then create accounts at TurboTax in the victims’ names and file fraudulent tax refund claims with the IRS.

But Kodukula said that over the past 18 months, Intuit has watched fraudsters shift from SIRF to account takeovers, wherein scammers compromise existing TurboTax credentials by exploiting a human tendency: people re-use the same password across multiple sites. When a breach at one site exposes the email addresses and passwords of its users, fraudsters will invariably try the stolen credentials at other sites, knowing that a small percentage of them will work.
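The account-takeover pattern described above, replaying breached email/password pairs against another site, leaves a recognizable trace in authentication logs: one source address trying many distinct accounts with a high failure rate, with a few successes mixed in. The following is an added detection example, not code from Intuit, TurboTax or the original article. The log format, the field names and the sample lines are all constructed for illustration, and the thresholds are assumptions a defender would tune to their own traffic.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real data). Format is assumed:
# <timestamp> ip=<addr> user=<account> result=OK|FAIL
SAMPLE_LOG = """\
2015-02-10T03:12:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2015-02-10T03:12:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2015-02-10T03:12:02Z ip=203.0.113.7 user=carol@example.com result=OK
2015-02-10T03:12:03Z ip=203.0.113.7 user=dave@example.com result=FAIL
2015-02-10T03:12:04Z ip=203.0.113.7 user=erin@example.com result=FAIL
2015-02-10T03:12:05Z ip=203.0.113.7 user=frank@example.com result=FAIL
2015-02-10T03:12:06Z ip=203.0.113.7 user=grace@example.com result=OK
2015-02-10T03:12:07Z ip=203.0.113.7 user=heidi@example.com result=FAIL
2015-02-10T03:15:00Z ip=198.51.100.9 user=ivan@example.com result=FAIL
2015-02-10T03:15:30Z ip=198.51.100.9 user=ivan@example.com result=FAIL
2015-02-10T03:16:00Z ip=198.51.100.9 user=ivan@example.com result=OK
2015-02-10T03:20:00Z ip=192.0.2.44 user=judy@example.com result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse the assumed log format into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_credential_stuffing(events, min_distinct_users=5, min_fail_ratio=0.6):
    """Flag source IPs that look like credential stuffing.

    Credential stuffing = one source, many *different* accounts, mostly failures
    (the breached password only works for the minority who re-used it).
    A single account with repeated failures is a different pattern (brute force
    or a forgetful user) and is deliberately not flagged here.

    Returns {ip: {"distinct_users": n, "fail_ratio": r, "successes": [accounts]}}.
    The 'successes' list is the set of accounts to force a password reset on.
    """
    per_ip = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0, "ok": []})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["total"] += 1
        if e["result"] == "FAIL":
            s["fails"] += 1
        else:
            s["ok"].append(e["user"])

    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["total"]
        if len(s["users"]) >= min_distinct_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "fail_ratio": round(ratio, 2),
                "successes": sorted(s["ok"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

In the constructed sample, 203.0.113.7 tries eight different accounts in seven seconds with six failures and is flagged; the two accounts that did authenticate from it (carol and grace) are the re-used passwords the attacker now controls. 198.51.100.9 fails twice on a single account and then succeeds, which matches a user mistyping a password rather than stuffing, so it is not flagged. In production the same counts would be kept per sliding window rather than over the whole log, and keyed on additional signals (ASN, user agent, device fingerprint) since stuffing tools rotate source addresses.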